Wishbone

A hacker has leaked 40 million Wishbone user records that contain a treasure trove of information that could be used to perform phishing campaigns, account takeovers, and credential stuffing attacks.

BleepingComputer has been able to independently confirm that the data is legitimate as it contains user records for people we know have used the app and who have confirmed the accuracy of the data.

Wishbone database leaked on hacker forums

Wishbone is a popular app for iOS and Android that allows users to create comparisons between two images that people can then vote on.

For weeks, BleepingComputer has been aware of a data breach broker selling an alleged database containing 40 million user records for the Wishbone app through private deals.

According to cyber intelligence firm Cyble, who shared this information with BleepingComputer, the database was circulating privately since March.

Yesterday, a different data breach seller publicly advertised the sale of the Wishbone database on a popular hacker forum where they were selling it for $8,000.

Wishbone database for sale
Wishbone database for sale

This seller told BleepingComputer in previous conversations that he collects, trades, and buys databases from data breaches and then sells them to others.

We were also told that this database was dumped at the end of January 2020.

Today, another data breach seller and competitor known as Shiny Hunters, decided to leak the entire database for free on the same hacker forum.

Wishbone database leaked for free
Wishbone database leaked for free

Shiny Hunters have been responsible for the sale of numerous data breaches, including one for Microsoft's private GitHub repository. Since then, some of these have been confirmed as data breaches by the affected companies.

We can expect to see tensions escalate between the two threat actors as both brokers are known to sell legitimate data.

This could lead to other private databases being leaked for free as each tries to spoil the other's sales.

What's in the database

Samples of the Wishbone database have been shared with BleepingComputer that unfortunately contains a great deal of data that can be useful to threat actors.

This exposed data includes usernames, email addresses, hashed MD5 passwords, mobile numbers, Facebook and Twitter access tokens, gender, date of birth, MD5, profile images, and much more.

A full list of the exposed information can be seen in the leaked table structure below:

uid,username,email,name,mobile_number,country_code,fbid,access_token,auth_token,ip,create_time,twitter_id,twitter_access_token,twitter_access_secret,gender,date_of_birth,password,image,follower_count,device_token,android_device_token,is_admin,timezone,displaying_post_date,is_device_active,shared_for_date,show_second_session_date,apple_idfa,google_advertiser_id,stickers_left,deleted_at,updated_at
Sample of records in database
Sample of records in database

BleepingComputer has contacted Wishbone with a sample of the data but has not received a response.

Unfortunately, this is typical for companies that we contact to notify of alleged data breaches. 

What should Wishbone users do now?

As some of the exposed data in this database file has been confirmed as accurate, it does appear to be a legitimate breach.

Due to this, out of an abundance of caution, I would suggest that all Wishbone users immediately change their passwords on the app.

If they have logged in via Facebook or Twitter, it is also suggested that you disconnect these apps from your Facebook account and Twitter accounts until it is confirmed if the data breach is real.

Finally, if you use your Wishbone password at other sites, you should change it there.

To check if your information was exposed in this database, you can check using Cyble's AmIBreached data breach lookup service.

Related Articles:

Retail chain Hot Topic hit by new credential stuffing attacks

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

Fujitsu found malware on IT systems, confirms data breach

AT&T says leaked data of 70 million people is not from its systems

French unemployment agency data breach impacts 43 million people